Search syntax for alerts
- Tugba Turhan
Field references for searching alerts
You can use field:value combination with most of the alert fields.
Condition | Description |
|---|---|
createdAt : 1470394841148 | Unix timestamp in milliseconds format. (1470394841148 -> Fri, 05 Aug 2016 11:00:41.148 GMT) |
createdAt : 15-05-2020 | DD-MM-YYYY time format. |
lastOccurredAt : 1470394841148 | Unix timestamp in milliseconds format. (1470394841148 -> Fri, 05 Aug 2016 11:00:41.148 GMT) |
snoozedUntil : 1470394841148 | Unix timestamp in milliseconds format. (1470394841148 -> Fri, 05 Aug 2016 11:00:41.148 GMT) |
alertId : b9a2fb13-1b76-4b41-be28-eed2c61978fa | Id of the alert. |
tinyId : 28 | Short id assigned to the alert. Be careful, using this field is not recommended because it rolls. |
alias : host_down | Alias of the alert to be retrieved. Using alias will only retrieve an open alert with that alias if it exists. |
count : 5 | If any source attempts to create a new alert where there is an open alert with the given alias, the count value of the open alert will be increased by one instead of creating another alert. |
message : Server apollo average
| string |
description : Monitoring tool is reporting that the | string |
source : john.smith@atlassian.com | string |
entity : entity1 | string |
status : open | open | closed |
owner : john.smith@atlassian.com
| Assignee |
acknowledgedBy : john.smith@atlassian.com | Jira Service Management Username |
closedBy: john.smith@atlassian.com | Jira Service Management Username |
recipients : john.smith@atlassian.com | Jira Service Management Username |
isSeen : true | true | false |
acknowledged : true | true | false |
snoozed : false | true | false |
teams : team1 | Name of the team. |
integration.name : "API Integration" | Name of the integration. |
integration.type : API | Type of the integration. |
tag : EC2 | string |
actions : start | string |
details.key : Impact | string |
details.value : External | string |
detailsPair (error : errormessage) | string |
Condition operators
In addition of : exact match operator; you can also use <, <=, > and >= operators.
Examples |
|---|
count > 5 |
count <= 4 |
lastOccurredAt < 1470394841148 |
Logical operators
Combine multiple value(s) by using AND and OR operators. Just don't forget to wrap them with ( ) parentheses.
Example | Description |
|---|---|
message: (lorem OR ipsum) | message field contains "lorem" or "ipsum" |
description: (lorem AND ipsum) | description field contains both "lorem" and "ipsum" |
Also you can combine multiple condition(s) by using AND and OR operators.
Examples |
|---|
message: lorem AND count >= 3 |
message: (lorem OR ipsum) AND count >= 3 |
status: open AND (count >= 3 OR entity:lipsum) |
Use the NOT search query to disqualify search results for a certain value.
Examples | Description |
|---|---|
NOT message: lorem | message field does not contain lorem |
NOT status: open | status of alert results are not open, i.e, closed or resolved |
Using asterisk (*) as a wildcard
Wildcards can only be used after characters and will only match from the start of character sequences. Character sequences need to be separated by a space for the wildcard to try and match to each sequence of characters.
Example
Let’s say you’re looking for an alert where the Alert message field starts with "lorem" but you cannot remember the rest of the message.
Type the following in the search box:
message: lorem*This will search for character sequences beginning with “lorem” in the Alert message field and list the matching results.
In your results, the wildcard might appear as a character sequence on its own, or it might be the beginning of a sequence:
Lorem ipsum dolor
Loremipsum123
qui do Lorem ipsum
However, your search won’t match if the wildcard is in the middle of a character sequence:
qui dolorem ipsum
In other words, the wildcard should be at the beginning of a character sequence or should be separate to be found with an asterisk.
Wildcards are not supported for teams and users. This means that you can't use an asterisk (*) while searching alerts with a team name or a user name. Enter the full name of your team or user to get the correct results.
Null Queries
Null queries can be used to list alerts which contain, or do not contain, a field. Please note that, a field is considered null, if it is not set or if it is blank.
Null query supported fields: source, entity, tag, actions, owner, teams, acknowledgedBy, closedBy, recipients, details.key, details.value, integration.name, integration.type.
Examples |
|---|
owner : null |
teams is null |
details.key is not null |
tag !: null |